I am not part of the DEFCON community, but every year I hear about warrantless searches, equipment seized at the border and hacker arrests. I wonder why anyone, not least security researchers, would take the risk of going there. Just so as you guys know, we have conference facilities in Europe...
Much of the "we stand up to authority" hubbub of US security researchers and developers is mostly an act. The sentiment is there to comfort the participants and validate their existence, just like in many other industries. While I hope I am wrong I wouldn't expect people not to fold when it matters. Somewhat understandably so since the current alternative is arguably, or at least ultimately, exile.
Just look at this situation. Unless hotel security have been breaking the law, which is unlikely, staying at these hotels means they can legally search your room and possibly your things. The only thing standing in the way of this is the reaction from the organizers and attendees. So if you care about your rights you don't really have much of a choice other than to react, and moving, at least out of Las Vegas, shouldn't be a hard decision.
And this would be illegal in at least part of Europe since a hotel room is categorized as a temporary residence.
From my very basic understanding of what transpired, the hotel security were trespassing by entering a rented room. I'm not altogether familiar with state law in Nevada, but that could certainly be argued in California.
Exactly. Cops can't break into a hotel room without a warrant, but agents of the management might be able to, depending on local laws. The 4A doesn't apply to them.
That's because the 14th Amendment extends the "due process" requirement to the states, and under the [Incorporation Doctrine](https://www.law.cornell.edu/wex/incorporation_doctrine) respecting the 4th Amendment has been considered part of "due process".
Surely this mostly depends on what you care about? Refusing to unlock a device at the border has much heavier (potential) consequences than requesting an alternate search, but I think there are a lot of people who willingly go through body scanners and wouldn't unlock a device.
You're absolutely right! Europe has conference facilities!
Of course, most places in Europe also have much stricter laws on guns. Many places aren't quite into the whole "free speech" thing in the way Americans are. These things are pretty important to a large number of attendees.
DEFCON is probably best regarded as a regional North American hacker con that reflects the culture and history of North American hackers. You cannot transplant DEFCON and preserve its cultural history. This is an issue of some concern, as it's the people and culture that matter the most at DEFCON rather than the conference that someone who has never attended might reasonably assume. After all, it's just a conference, right?
Continental Europe already has CCC. DEFCON's roots and history tie it pretty firmly to Vegas.
I'm not quite following, apart from firing guns, what is it you can do in Vegas that you can't do in Europe? Or are you saying the guns are what makes DEFCON?
People routinely and unremarkably carry weapons upon their person at DEFCON. It's a reasonably common event, to the point where early pictures of DEFCON events sometimes contained more guns than laptops. The yearly shoot is a social fixture.
Guns are an easy example. Lockpicks are another - the UK does not smile on them. I'm saying you cannot readily relocate DEFCON to a randomly selected European conference venue without fundamentally transforming it into something that is no longer the DEFCON we know and love.
To put it another way, your suggestion and incomprehension underscores that you understand DEFCON as a conference. An event where people talking at halls of other people is the main thing that matters. I'm trying to communicate that it is a convention and cultural touchstone enabled by the unique confluence of laws in Nevada and the willingness of casinos to cooperate with wealthy groups.
It's very easy to suggest that an event be moved somewhere else. Why not move Jeremy Corbyn's next rally to, I dunno, Canada? There are halls for rent there too! It's perhaps more subtle to understand that there are other things than bare physical requirements that tie an event and a place together.
> Why not move Jeremy Corbyn's next rally to, I dunno, Canada?
Because Jeremy Corbyn is a politician whose constituency is in the UK. That just makes DEFCON sound parochial.
> Lockpicks are another - the UK does not smile on them.
Yet locksmiths in the UK routinely carry them.
You seem to be trying to paint a picture of Vegas being free, and Europe being oppressive. There are plenty of things that are legal in parts of Europe that are not in the USA. What you have really succeeded in doing is painting a picture that DEFCON is so much about guns that you would not trade the guns for anything.
> Because Jeremy Corbyn is a politician whose constituency is in the UK. That just makes DEFCON sound parochial.
You're exactly right! His events are tied to a place. Perhaps DEFCON is a convention whose primary constituency is in North America in the same way that CCC is a convention whose primary constituency is in continental Europe.
> Yet locksmiths in the UK routinely carry them.
Because they're licensed for such. Random people are subject to arrest for doing the same thing. Which would mean that nearly everyone who visits the lockpick village would be subject to arrest and a goodly number of other attendees. We're talking about thousands of people, arrested for having funny-shaped little bits of metal.
What I'm saying is that you are possessed of the wonderful opportunity to come to a greater understanding of what DEFCON - and its community - are. It's perhaps possible that you may stand to benefit by perhaps seeking first to understand the thing you wish others to consider changes to.
> I wonder why anyone, not least security researchers, would take the risk of going there.
Because this is what fear has done to the world. As much as I hate the status quo, caving in and not going when I've done nothing wrong only serves to perpetuate it.
Had a room visit. The two security guys were friendly in that weird way where they're all smiley and talkative, but completely ignore anything you say. Weird stuff.
Oh, and they made fun of how much I paid for room service, which is weird because it's overpriced to help pay their salaries... shrug
I get the why of what they're doing, but they didn't look through anything, so if I was planning something I could have had it all just in my dresser.
Defcon is moving to Paris, Bally's, and Planet Hollywood next year, but those are all Caesar owned properties, so it doesn't address anything. Although the room service may be cheaper.
> Defcon is moving to Paris, Bally's, and Planet Hollywood next year, but those are all Caesar owned properties, so it doesn't address anything.
DEFCON was at Bally's and Paris for two or three years two or three years ago. The theory a few of us have is the Caesar's Palace people were looking for soldering equipment (that might damage their tables) and that Caesar's doesn't care as much if there is damage to their less prestigious properties.
The last time I went to Defcon, someone drove the security golf cart into the pool. Others were flushing bags of concrete down the toilet. There's damage, and then there is Defcon.
The age requirement for Defcon is 18. There is also a large cross section of counter culture and drug culture. There were many parties happening. I recall smoking salvia out of a hookah, which later tipped and burned the bed sheets. A random guy came in to the party with a 50 gallon trash bag full of dried salvia.
Yes, there were a number of intelligent looking young children there. This however is only in furtherance of the argument that we must set good examples.
Frat houses[1] are known for having a lot of parties. This partying will crescendo around the university's graduation date. DEFCON is being compared to one of these peak parties.
Black Hat is a bit more subdued. It costs a lot more to attend Black Hat. Black Hat parties are more like casual social gatherings. I believe that in Europe, country clubs are more likely to be called gentlemen's clubs. In either case, it's usually the richer people attending.
The room can't be used while it's being repaired, and people would push back pretty hard if they were charged for lost business too. People also tend to dispute damage charges.
Everything on the strip is jacked up beyond anything I've ever seen in Tokyo or NYC. Pizza delivery might work, but otherwise... literally everything on the strip is jacked. I can find $1 slice pizza in Manhattan. Less-good version in Vegas? $6.
Vegas has discovered that it doesn't really matter what they charge. People will pay it. Gone are the days where they subsidized food costs with gambling revenue -- I really wouldn't be surprised if the casino floor cocktailers disappeared in the near future.
> because it's overpriced to help pay their salaries
That's something you assume but cannot know unless you had a look at their books. Paying security out of room service seems quite odd. I don't think that the salary of security is based upon room service at all.
Apparently these security people weren't that useful security wise, but maybe it's more that they know that too.
What? Money that people pay for room service is money flowing into the business, all of which helps pay staff salaries. I didn't realise there was any controversy around this arrangement.
Katie Moussouris (https://twitter.com/k8em0) is, unsurprisingly, spot on with the problems from her experience. Being able to verify that people trying to get into your room are indeed hotel security is a perfectly valid request. Trusting an ID badge is always laughable, but even more so in an environment like Defcon. While the privacy concerns aren't invalid, the safety issues posed by this policy are much more concerning.
If a woman is worried about being put into a situation where they feel they are at more risk of assault/rape they should be listened to. It's a shame that is being drowned out in favor of the invasion of privacy narrative.
At a hotel I stayed at in Hinton, Alberta (pop. 15,000, which had a bad drug epidemic at the time), the laminated hotel security card on the bed specifically said that, at nighttime, if someone knocks on the door claiming to be from the hotel, first call the front desk to verify that a houseman had actually been sent. This is a solved problem.
Which wouldn't be a problem if the hotel made an official policy of "guests may call the front desk to verify the security guard, both of whom will co-operate in verification" (and enforced it).
The problem, as I read it, is that the hotels started more intrusive checking by security guards without considering or providing for the needs of some guests to be less than fully co-operative (for good reasons).
If you feel the need to call the cops because of interactions with hotel security, the hotel has fucked up in a major way. The hotel should be taking reasonable steps to make their guests feel safe, and having security guards provide verification of their identity when requested is something that they absolutely need to be doing.
It's not that you necessarily think you're facing an invasion, but if someone knocks on my door claiming to be hotel security, I'd much prefer to be able to verify them before opening the door. There are lots of options between "open the door to someone unknown" and "call the police".
All of the big resorts in Las Vegas are going through a period of change regarding security. It's been a very traumatic 10 months for that industry in that location.
Caesars, and the other hotels, are trying to find a balance between the security needs of the guests and the security needs of the staff. It's going to take time to work everything out.
Just a few weeks ago, the hotels reached an agreement with the maids union to provide every one of them (20,000, at least) with wireless panic buttons that geolocate them down to the floor and room. Even Google doesn't have that kind of granularity.
And all of the security changes have to be worked out between the property, Metro (the regional police force), the FBI and others. It's a complicated process.
What happened to a small number of people at DEFCON is sad and wrong. But chances are it wasn't malicious. On a busy weekend, 350,000 people visit Las Vegas. The number of people affected by what happened in the blog post is less than a rounding error. Mistakes happen. Security people are still people. Life will never be perfect when you interact with wetware.
For the record, our room bill at Caesars alone came in at over $50K
$50k is nothing to Caesars. You see bar receipts for more than that discarded on the floors of the nightclubs there.
/Written from a nearby property, overlooking Caesars
> All of the big resorts in Las Vegas are going through a period of change regarding security. It's been a very traumatic 10 months for that industry in that location.
The thing is, they don't need to be going through a change. A crazy man did a crazy thing; that's no reason to upend life. The next lunatic's lunacy will very likely be different.
As an aside, I had no idea that there are hotels which conduct weapons searches (and hence presumably ban weapons). Do they offer guests a place to check their weapons?
> The thing is, they don't need to be going through a change. A crazy man did a crazy thing; that's no reason to upend life. The next lunatic's lunacy will very likely be different.
In a logical, computerized, HN-centric world, that is correct. But we live in a world filled with people, who aren't always logical. The hotels also have to think about insurance liability, lawsuits, and a million other wetware factors.
> Do they offer guests a place to check their weapons?
It is possible, but I don't know for sure. The reason I say it's possible is because there are a lot of people who fly to and through Las Vegas to go hunting, and stay in the casino resorts because they're all very close to the airport.
Earlier this year there was a news story because someone was stopped at the TSA checkpoint because they found a dead cougar in his luggage from a hunting trip.† They let him go because it was weird, but not "Vegas weird," and not illegal.
To illustrate how close the resorts are to the airport, the runways had to be shut down during the October 1 massacre because a number of people fleeing the festival grounds ended up on the tarmac.
Another reason it's very likely that weapons can be checked is because Las Vegas hosts several enormous hunting, weapons, and arms conventions throughout the year.
Also, having lived in both Nevada and Texas, IMO, the chances of some random (local) stranger having a concealed weapon on him is exponentially higher in Nevada than even Texas.
Rather than the Las Vegas attack, I’d rather expect DEFCON to be hurt by the arrest of Marcus Hutchins. Surely it should have given cold feet to some of the most interesting guests and speakers.
From what is currently known it seems plausible that Marcus Hutchins should at least be under investigation. Some of the things he has done in the past were murky. Stopping a large ransomware attack (by accident) does not change that fact.
I have not seen remarks in the security community that people were afraid of being arrested out of the blue like Marcus Hutchins.
Just because they're interesting doesn't put them above the law; Marcus was arrested under suspicion of creating, spreading and selling the Kronos malware. That is a federal crime.
On the other hand Black Hat Asia is freaking awesome and pretty much the best BH I've been to and I keep hearing about CCC being way better than Defcon. There are options outside the US!
Also if you're into crypto you should go to the summerschool in Croatia or the workshops at Eurocrypt!
CCC is very different to DEF CON, and I wouldn't say it's a "hackers" vs "industry" split either, because BlackHat is the more industry focused conference in the US, DEF CON has traditionally been the one for the hackers.
I think the differences between CCC and DEF CON are roughly:
- CCC is much more political, more about making statements about privacy, etc. There are often journalists there, and there's much more of a balance between political/cultural/privacy issues, and the tech side of hacking.
- CCC is based in the European hacker counter-culture which is quite different to the US hacker counter-culture.
- CCC is a bit more community focused, being very low-budget, accessible ticket prices, more hostels than hotels, etc.
While this is nice if you are just interested in some of the talks it's not really a substitute for being there, meeting people and taking in the atmosphere (for me at least). There's a lot of things you don't see in the streams, like the venue, the tents and all the small cool things in the assembly area.
I have been once a few years ago. Some of it is certainly enjoyable, like meeting people you know from the Internet or wouldn't have met otherwise. And overall the organizers are doing a good job. But it feels like a lot of people go year after year no matter what, in a bad way. Thousands of similar people talking about the same things year after year. Add to that the cost and logistics of it all, and I don't feel much of a need of going again.
So it might be worth it for people who haven't experienced that sort of thing. But otherwise I would recommend watching online with some friends and travelling someplace else for new experiences.
From https://marcrogers.org/2018/08/13/open-letter-to-the-hacker-.... (linked in the article):
"Yes hotel staff NEED to check rooms but if we, who can change the very building blocks of life, can’t come up with a safer way to do this then we really aren’t trying hard enough."
No, they don't. They have thousands of security cameras set up, and I'd be shocked if they didn't have technologies like facial recognition built in. They have the ability to do a background check on every guest who checks in. They also have people working the front desk who likely get training to see if you're a "bad guy" or not.
So with all that, please explain why this additional search, which is a massive violation of privacy (and apparently the Constitution) is necessary?
Not a violation of the Constitution unless government agents searched rooms without warrants or permission. Management of the hotel are bound by local laws and their own policies, but not by the constitution.
Rationale: You can always choose another hotel with policies you like better, but you can't choose another government. Constitution only applies to governments for that reason.
We've[1] had a few back and forths with people who were there. It's hard to say what the impact will be on DEFCON but the thing that was clear to us was that it's safety that's important.
To that end I've written to our venue and we'll be putting out a statement regarding exactly under what circumstances the hotel may enter your room, and what to do if you don't want to consent.
This isn't an easy thing for events in the US to deal with, and while we're based in the UK we get a lot of US citizens attending. The rules are different here, hence the decision to find out the rules and put them up so everyone's clear. In that respect, I think Marc Rogers was right to make a comment as it's clear a ball was dropped somewhere, and it came under his bailiwick. I don't believe for a second that he should resign, especially when I'm certain he'll double down on making sure things are better next time.
I was utterly horrified with Katie Moussouris' situation and absolutely will not stand for something like that happening in London. There'll be something up on the blog and mailing list once we hear back from the ILEC.
Surely this is at the very least a breach of privacy, and possibly a warrantless search? A hotel room, while occupied by a paying customer, should be treated as private property.
Warrantless search only applies if it was the police going in there; if it's hotel security, and if the terms and conditions of said hotel indicate hotel security can enter your room at any given time, then you'll have nothing.
> Warrantless search only applies if it was the police going in there; if it's hotel security, and if the terms and conditions of said hotel indicate hotel security can enter your room at any given time, then you'll have nothing.
I doubt those terms are legally enforceable if they exist. Even apartment building owners in the US can't enter arbitrarily, especially if you're not present.
Tenant’s rights laws control when and how an apartment owner can enter the residence.
Those laws don’t really exist for hotels in the USA as far as I know. Hotels are categorized as temporary dwellings and are regulated much differently.
> Is there a right to privacy in my hotel room?
Generally, yes, you have a right to expect privacy in your hotel room as long as you are using the hotel room in a normal, responsible way. However, if you are engaging in anything illegal or disturbing other guests, hotel management can enter your room without your permission. [0]
The quote's not from a definitive source but there is language like that all over the internet. Merely attending a conference does not a criminal make, so I think the hotel has a thin defense here.
Leasing an apartment, and it being filled with all of your possessions, is a quite different situation than a short-term rental of a hotel room, and I'd wager the legal system sees them as different.
You are on their property. If you refuse, you’ll be forced to leave. Does that make what they did ethical, no, but it’s 100% within their legal rights. Same goes if I was a guest at your house, even if I was paying to stay there.
You'll find that once you accept payment for them staying there your rights are curtailed depending on which state you live in. Your blanket statement isn't even close to true in quite a few places inside the US.
(I was stating my opinion, you are the one claiming I am factually wrong and not providing any proof, further a quick google search proves I was correct in my statement too based on reputable legal sites)
As I suspected and why I said citation needed, you went on an irrelevant tangent into tenancy law. How does that link negate anything I said? If I had said “I could force you to leave my home immediately”, yes, that link would sorta apply, but I didn’t (evicting you via the courts is “force you to leave”). The conversation is specifically around your right to privacy when staying at property you don’t own. Yes, fourth amendment would prevent the property owner from letting police in under many (but not all) circumstances, but there is virtually no law preventing them from “violating your privacy” entering at their will. The laws that do apply generally only dictate notice periods, and even in those cases they have exceptions for emergencies, which ensuring security when they feel there is a credible risk qualifies.
Again, shady as hell ethically what they did and how they did it, but still very legal.
They don't make any sense. Anyone planning something will now anticipate this. It only discourages honest people from staying in a traditional hotel. You can either relax in an air-bnb or worry about the hotel service demanding entry to your room (while being reminded of horrific mass shootings).
You're trying to make it sound like AirBnB would be a better option, but just no. A hotel has accountability at least. AirBnB as an organization has and takes none, and you have to deal with the individual and their house yourself. A hotel chain has their reputation to maintain, a random guy renting out his apartment doesn't.
That's true but the sad thing is that random people renting out their apartments are, in practice, more accountable via airbnb reviews than a major hotel chain who can implement an evil policy like this across their properties and do a lot of damage before it's reined in.
I can imagine a (three-letter-agency) renting out places on AirBnB and the likes and wait for a fish to be caught in the net. Esp. in Vegas if only for gambling-related fraud (initially, at least).
Where did you get the notion that it's normal and accepted? Have you read the article? Have you even read the title? "Debacle" does not mean the same as "normal and accepted".
I would like to draw attention to the following statement from the story by Katie Moussouris, linked to in the OP's article:
>The hotel employee ID card I was finally shown had the photo rubbed off. It was only shown after I had been screamed at & the door pounded on, which was after I had politely asked to verify their IDs by calling downstairs.
Was the ID badge even legit? Unless the latching lock was in place on the door, these people representing themselves as hotel security personnel should have been able to open the door with their own master keys, correct? Why should they scream and beat at the door after being politely asked a perfectly reasonable question/request?
Consider that these were not legit security personnel, and that the hotel may have been working with some undisclosed entity to target select DEFCON attendees.
Edit: Seeing how the 4th amendment prevents the government from accessing a hotel room, why on earth wouldn't a state actor partner with a private entity to gain access?
Who thinks it's a good idea to host anything in the US in 2018? They should host both blackhat & defcon outside the US also to include infosec experts that are otherwise discriminated against (anyone with a Muslim name or simply a non-US passport). Fuck that country and fuck their events.
I can understand your frustration and there are valid concerns. As much as I like Las Vegas there are very real reasons not to have events like this in the US.
If I recall, there was one set of Python-related conferences that rotated every other year in/out of the US for this reason. While some people would go anywhere, a lot of people really didn't want to go to the US.
The worst part of this situation is that it really accomplishes nothing while opening up avenues for potential abuse. Access to the guest floors did not require any proof of occupancy despite the elevators being equipped with keycard readers, and there was no verification that the security personnel even belonged to Caesar's. How difficult would it really be for someone to pose as a member of the security staff in order to gain access to any room of their choice once this procedure is expected?
Lavish rooms as well. When I go to Defcon, I usually see vendors purchasing the ultra pricey penthouses and throwing parties in them to show out for potential customers. The most ridiculous one I saw was one at Hard Rock with a bowling alley in the room and a rock band playing on the bowling lane, and a giant hot tub full of ice with free booze in it.
I went to Vegas November last year, albeit just for a weekend of fun, and I didn't experience any of this. I wouldn't have known there was a shooting if it wasn't for the fences around Mandalay Bay that we drove by on our way in.
I was at DEFCON. I stayed at Caesars. I had a lot of odd stuff in my room. I had no problems.
Security never entered my room, nor did they want to. Why? Because I did the simplest thing. I didn't keep the DND sign on the door so I had normal maid service. I like fresh towels and made beds.
If you leave your DND up, security will come to your room once a day and take a quick visual inspection. Yes, we all know this is mostly 'theater'. If you're there alone and are uncomfortable with people in your room when you're alone, then stand outside the room during the inspection.
Some people aren't happy unless there's drama. I see many people at DEFCON who imagine they're 007 and a host of three letter agencies are interested in them. Good for them! (I suspect Marc Rogers, the DEFCON security person who resigned, simply didn't want to deal with drama anymore when there are real battles to fight.)
For the rest of us, it's a nice convention where we can talk to real engineers and security researchers about problems that affect us.
> For the rest of us, it's a nice convention where we can talk to real engineers and security researchers about problems that affect us
Good for you. I'm glad you got a chance to talk to real engineers and security researchers about problems that affect you. I hope you feel more secure as a result.
There are a number of other attendees who would also like to discuss the security problems that affect them, such as the notion that putting up a DnD sign on your hotel door is an implicit expectation that random men will corner you in your room. If these visitors aren't who they say they are, the only way out is through them. It being a convention of professional hackers, the fact that the only thing between you and an intruder is an electronic lock does not bestow much confidence in one's security.
Is it ok with you if we discuss this for a bit? Hopefully it doesn't get in the way of the important engineering and security research weighing on your mind.